version 1.15, 1998/12/20 17:08:45
version 1.16, 1998/12/21 21:48:41
<code>strcat/strcpy/strcmp/sprintf</code>. In general,
<code>sprintf</code> should be replaced with <code>snprintf</code>, and
the return value of <code>snprintf</code> must be checked: it reports the
length it wanted to write, not the number of bytes it stored, so a value
greater than or equal to the buffer size means the output was truncated.
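The point above, as an added example that is not code from the original page: a bounded <code>snprintf</code> wrapper that treats truncation as an error rather than silently handing back a cut-off string. The function name <code>build_path</code>, the 16-byte buffer and the over-long name are assumptions chosen for illustration.

```c
/* Added example (not from the original page): bounded formatting with
 * snprintf, checking its return value for truncation. The function names
 * and buffer sizes are assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>

/* Build "<dir>/<name>" into dst. Returns 0 on success, -1 if the result
 * would not fit. snprintf reports the length it *wanted* to write, so a
 * return value >= dstsz means the stored output was truncated. */
int build_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n;

    if (dstsz == 0)
        return -1;
    n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';          /* don't hand back a half-built path */
        return -1;
    }
    return 0;
}

/* Self-check used by the example: returns 1 if a short name fits and an
 * over-long one is refused with the buffer cleared, 0 otherwise. */
int build_path_selfcheck(void)
{
    char path[16];

    if (build_path(path, sizeof path, "/tmp", "x.log") != 0)
        return 0;
    if (strcmp(path, "/tmp/x.log") != 0)
        return 0;
    if (build_path(path, sizeof path, "/tmp", "this-name-is-too-long") != -1)
        return 0;
    if (path[0] != '\0')
        return 0;
    return 1;
}

int main(void)
{
    char path[16];
    char attacker_name[64];

    /* Constructed input: a 63-byte name, longer than path can hold. */
    memset(attacker_name, 'A', sizeof attacker_name - 1);
    attacker_name[sizeof attacker_name - 1] = '\0';

    if (build_path(path, sizeof path, "/tmp", "x.log") == 0)
        printf("ok: %s\n", path);
    /* sprintf(path, "%s/%s", "/tmp", attacker_name) would write well past
     * the end of path; snprintf stops at sizeof path - 1 and the check in
     * build_path refuses the truncated result. */
    if (build_path(path, sizeof path, "/tmp", attacker_name) != 0)
        printf("refused: name too long\n");
    return 0;
}
```

Refusing a truncated path matters for the same reason the overflow does: a silently shortened <code>/tmp/some/long/name</code> can still name a real file, just not the one the caller meant.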
<li>Never use filenames instead of true security. There are numerous race
conditions where you don't have proper control. For instance, an attacker
who already has user privileges on your machine may replace files in
<code>/tmp</code> with symbolic links to more strategic files, such as
<code>/etc/passwd</code>.
<li>For instance, both <code>fopen</code> and <code>freopen</code>
<strong>create a new file or open an existing file</strong> for
writing. An attacker may create a symbolic link from
<code>/tmp/addrpool_dump</code> to <code>/etc/passwd</code>. The
instant you open it, your password file is hosed. Yes, even with
an <code>unlink</code> right before. You only narrow the window
of opportunity. Use <code>open</code> with
<code>O_CREAT|O_EXCL</code> and <code>fdopen</code> instead:
with both flags set, <code>open</code> fails with <code>EEXIST</code>
if anything already has that name, including a symbolic link, so the
planted link is never followed.
<li>Another very common problem is the <code>mktemp</code>
function. Heed the warnings of the BSD linker about its use.
<strong>These must be fixed</strong>.
This is not quite as simple as <code>s/mktemp/mkstemp/g</code>:
<code>mkstemp</code> modifies its template in place and returns an
already-open descriptor, so code that takes the resulting name and
reopens it by path reintroduces the very race it was meant to close. <br>
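The two items above, the <code>O_CREAT|O_EXCL</code> plus <code>fdopen</code> pattern and the <code>mkstemp</code> replacement for <code>mktemp</code>, as one added example that is not code from the original page. The helper names <code>create_new_file</code>, <code>secure_tempfile</code> and <code>symlink_attack_is_blocked</code> are assumptions; the self-check plants its own symlink under <code>/tmp</code> to stand in for the attacker's.

```c
/* Added example, not code from the original page: creating files without
 * following an attacker-planted symlink, and the mkstemp pattern. The
 * helper names below are assumptions chosen for illustration. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create path as a brand-new file and return a stdio stream for it.
 * O_CREAT|O_EXCL makes open(2) fail with EEXIST if anything is already at
 * that name, including a symbolic link, so a link planted in /tmp can never
 * redirect the write to /etc/passwd. Returns NULL (errno set) on failure. */
FILE *create_new_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    FILE *fp;

    if (fd == -1)
        return NULL;
    fp = fdopen(fd, "w");
    if (fp == NULL) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
    }
    return fp;
}

/* mkstemp(3) in place of mktemp(3). The template must end in XXXXXX and is
 * overwritten with the chosen name. Unlike mktemp, the file is already
 * created and open when mkstemp returns, so keep using this descriptor (or
 * the stream built on it); reopening by name would bring the race back. */
FILE *secure_tempfile(char *template)
{
    int fd = mkstemp(template);
    FILE *fp;

    if (fd == -1)
        return NULL;
    fp = fdopen(fd, "w+");
    if (fp == NULL) {
        int saved = errno;
        close(fd);
        unlink(template);
        errno = saved;
    }
    return fp;
}

/* Self-check: create a temp file, plant a symlink to it under a second name
 * (standing in for the attacker's link), and verify that create_new_file
 * refuses both the link and the existing file with EEXIST.
 * Returns 1 if every step behaves as described, 0 otherwise. */
int symlink_attack_is_blocked(void)
{
    char victim[] = "/tmp/addrpool_dump.XXXXXX";   /* constructed name */
    char linkpath[sizeof victim + 5];             /* room for ".link" */
    FILE *fp, *again;
    int ok = 0;

    fp = secure_tempfile(victim);
    if (fp == NULL)
        return 0;
    snprintf(linkpath, sizeof linkpath, "%s.link", victim);
    if (symlink(victim, linkpath) == 0) {
        again = create_new_file(linkpath);    /* attacker's link: must fail */
        ok = (again == NULL && errno == EEXIST);
        if (again) fclose(again);
        unlink(linkpath);
    }
    again = create_new_file(victim);          /* plain existing file: must fail */
    ok = ok && again == NULL && errno == EEXIST;
    if (again) fclose(again);
    fclose(fp);
    unlink(victim);
    return ok;
}

int main(void)
{
    printf("symlink attack blocked: %s\n",
           symlink_attack_is_blocked() ? "yes" : "no");
    return 0;
}
```

Note that neither helper ever does an <code>unlink</code>-then-<code>open</code> dance: the atomic create-or-fail is the whole defence, and a caller that gets <code>EEXIST</code> should pick a different name (which is exactly what <code>mkstemp</code> does internally) rather than remove whatever is there and retry.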